vulnerability
Arch Linux: Arbitrary command execution (CVE-2017-1000083)
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 7 | (AV:N/AC:M/Au:N/C:P/I:P/A:P) | Sep 5, 2017 | Jul 11, 2025 | Nov 27, 2025 |
Severity
7
CVSS
(AV:N/AC:M/Au:N/C:P/I:P/A:P)
Published
Sep 5, 2017
Added
Jul 11, 2025
Modified
Nov 27, 2025
Description
The comic book backend in evince <= 3.24.0 is vulnerable to a command injection bug that can be used to execute arbitrary commands when a cbt file is opened.
CBT files are simple tar archives containing images. When a cbt file is processed, evince calls "tar -xOf $archive $filename" for every image file in the archive. While both the archive name and the filename are quoted to not be interpreted by the shell, the filename is completely attacker controlled an can start with "--" which leads to tar interpreting it as a command line flag. This can be exploited by creating a tar archive with an embedded file named something like this: "--checkpoint-action=exec=bash -c 'touch ~/covfefe.evince;'.jpg"
This can presumably be triggered by the evince thumbnailer, which is not sandboxed, and web browsers that allow untrusted websites to auto-downloading files without user interaction (Chrome, Epiphany) can trigger the thumbnailer to run so this is web exposed.
CBT files are simple tar archives containing images. When a cbt file is processed, evince calls "tar -xOf $archive $filename" for every image file in the archive. While both the archive name and the filename are quoted to not be interpreted by the shell, the filename is completely attacker controlled an can start with "--" which leads to tar interpreting it as a command line flag. This can be exploited by creating a tar archive with an embedded file named something like this: "--checkpoint-action=exec=bash -c 'touch ~/covfefe.evince;'.jpg"
This can presumably be triggered by the evince thumbnailer, which is not sandboxed, and web browsers that allow untrusted websites to auto-downloading files without user interaction (Chrome, Epiphany) can trigger the thumbnailer to run so this is web exposed.
Solution
arch-linux-upgrade-latest
References
- CVE-2017-100008
- https://attackerkb.com/topics/CVE-2017-100008
- URL-http://seclists.org/oss-sec/2017/q3/128
- URL-http://www.debian.org/security/2017/dsa-3911
- URL-http://www.securityfocus.com/bid/99597
- URL-https://access.redhat.com/errata/RHSA-2017:2388
- URL-https://bugzilla.gnome.org/show_bug.cgi?id=784630
- URL-https://github.com/GNOME/evince/commit/717df38fd8509bf883b70d680c9b1b3cf36732ee
- URL-https://security.archlinux.org/ASA-201707-14
- URL-https://www.exploit-db.com/exploits/45824/
- URL-https://www.exploit-db.com/exploits/46341/
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.